Mehrere Fehler in LinBox

[30.03.2004] Mehrere Fehler in LinBox

SEC-CONSULT Security Advisory - LINBIT LINBOX

Vendor: LINBIT Information Technologies GmbH (http://www.linbit.com)

Product: LINBOX

Vendor status: vendor contacted (22.01.2004)

Patch status: Patch available at linbox.linbit.at

Vulnerabilites:

- Authentication circumvention for the administration portal

- Password disclosure for all existing users

- System login through SSH

============

Introduction

============

The LINBOX offers a comprehensive IT solution (internet gateway including

firewall, file server, mail server, proxy server etc.) to companies of any

size with a key priority on security.

Services/Features included in the LINBOX

* Central user administration (no LINUX skills required)

* Compatibility with Windows workstations

* Internet access (ISDN, ADSL, cable or leased line)

* Upon clients request provided with/without proxy server

* Integrated firewall to protect your company network

* Sophisticated internet access control (who is allowed to access the

internet via the proxy server)

* File server for your internal company data

* Print server for a central printer

* Uniform user settings at every workstation (domain controller)

* Simple adding or removing of Windows workstations (name server and

DHCP server)

* Central mail server. Manage e-mail accounts and mailing lists (e.g.

office@..., sales@...)

* Web e-mail to be used via the Internet throughout the world (e.g.

e-mail service during holidays or business trips)

* VPN access for field service or home working (via PPTP protocol)

* Virus scan for all e-mails and files (optional)

=====================

Vulnerability Details

=====================

1) AUTHENTICATION CIRCUMVENTION

===============================

DESCRIPTION:

LINBOX has a webbased administration portal on port 8080 that is accessible

through the internet by default. Opening this page in a browser gives the

user the following options:

- Administration

- Webmail

- Personal Settings

Hitting the link "Administration", the web application requests username and

password. The authentication mechanisms seem to be provided by a AuthMySQL

3.1 Apache module.

However because of a configuration fault, it is possible for an attacker to

bypass the authentication by opening the page //admin/user.pl (note the double

slash at the beginning), which gets the attacker to a list of users. Once on

that page, an attacker could as well just add a user of it's own (with

administration priviledges) and log in comfortably at the front page.

EXAMPLE:

---*---
Http-Request:
http:// demo.linbox.at//admin/user.pl

---*---

REMARKS:

As soon as the attacker has an administrativ account, he can:

- Create/delete/change usrs

- Create/delete/change VPN accounts

- Change the network configuration (IP, default GW, etc.)

- Create/delete/change Samba shares as well as their permissions

- Shut the system down

- Deactivate the virus scanner

 

2) PASSWORD DISCLOSURE FOR ALL EXISTING USERS

=============================================

DESCRIPTION:

As soon as the attacker as access to the users.pl page (as described in 1),

he can read all passwords of all existing users by simply hitting the edit

button for each user. This page contains the password in an HTML password

input box, which the attacker can read in cleartext by viewing the source

code of the HTML page.

EXAMPLE:

<tr><td class="ADMIN-LEFT">Password:</td><td class="ADMIN-RIGHT"<BR>colspan="1"><input type="password" name="adm_Password" value="dieter" />
***-----------------------------------------------------------^^^^^^
</td></tr>
<tr><td class="ADMIN-LEFT">Passwortbestätigung:</td><td class="ADMIN-RIGHT"<BR>colspan="1"><input type="password" name="adm_Passwortbestätigung"<BR>value="dieter" /> </td></tr>
***----^^^^^^

 

3) SYSTEM LOGIN THROUGH SSH

===========================

DESCRIPTION:

As all user accounts on the administrative portal are also system accounts,

an attacker can use a ssh-shell (if available) to login to the system with

the passwords provided in 2).

===============

GENERAL REMARKS

===============

Above findings derive from an external (black box) security test.

we would like to apologize in advance for potential nonconformities and/or

known issues.

====================

Recommended Hotfixes

====================

Patch:

Available from linbox.linbit.at

EOF Daniel FABIAN / @2004

d.fabian@sec-cosult.com

=======

Contact

=======

SEC CONSULT Unternehmensberatung GmbH

Büro Wien

Blindengasse 3

A-1080 Wien

Tel.: +43 / 1 / 409 0307 - 570

Fax.: +43 / 1 / 409 0307 - 590

Mail: office@sec-consult.com

www.sec-consult.com